Found a few new variants of SaveNet this morning. The new variant appear as Save On, SO.Booster and SO.Sustainer 1.80 in the Add/Remove programs dialog. These where found in a camera related software, and the setup file was digitally signed by Daneil Jemoch. Save On inserts ad links while you browse. The links are underlined with a green small arrow and are labeled “Click to Continue > by save on” as shown in the screenshot below:
These are the detection results from VirusTotal for SO.Booster.exe:
If you have Save On, SO.Booster and SO.Sustainer 1.80 on your machine, you may have noticed a file called SO.Booster.exe or SO;Booster.exe running on your computer at startup or that new add-ons have appeared in your browser. Here’s a screenshot from Firefox that shows the SaveOn add-on:
The removal is pretty straightforward with the FreeFixer removal tool. Simply check the SaveOn, SO.Booster and SO.Sustainer files, as shown in the screenshots:
How did you get SaveOn on your machine?